Sarbanes-Oxley Section 404 Compliance Process Improvement: A Financial Reporting Risk Management Model

Transcript
  • 1. Sarbanes-Oxley Section 404 Compliance Process Improvement: A Financial Reporting Risk Management Model
    Presented by: John A. Wheeler – Senior Vice President, Financial Reporting Risk Management; Dan Shaughnessy – Partner, KPMG LLP
    May 2006
  • 2. Discussion Agenda
    1. A quick review of SunTrust's journey through two years of Sarbanes-Oxley compliance: lessons learned from year one and best practices achieved in year two.
    2. Sustainable compliance: how SunTrust has leveraged a diverse team and technology to create a sustainable process for effective compliance.
    3. Future vision: how SunTrust and others can leverage SOX compliance activities in other initiatives.
  • 3. About SunTrust
    • 9th largest U.S. commercial bank based on total revenue
    • Headquartered in Atlanta, Georgia
    • As of December 31, 2005, total assets of $179 billion
    • Footprint: Alabama, Arkansas, Florida, Georgia, Maryland, Mississippi, North Carolina, South Carolina, Tennessee, Virginia, West Virginia, District of Columbia
    • Employees: more than 33,000
  • 4. First Year Program Implementation Challenges
    • Interpreting guidance from PCAOB
      – Definition of testing
      – Role definition (External Audit vs. Internal Audit)
      – Amount of reliance placed on Internal Audit
    • Narrowing scope to key financial controls while not minimizing the importance of operational or “non-key” controls
    • Overcoming fatigue from the 2003 “dry-run” and re-scoping effort
    • Refining materiality definition / criteria and streamlining the reporting process
    • Coordinating efforts within the lines of business to minimize disruption to business operations
  • 5. Lessons Learned
    • Carefully manage scope
    • Improve coordination with external auditor
    • Foster business unit ownership of processes and compliance
    • Build quality assurance into the process
    • Plan early and communicate often
    • Devote more time to training
    • Shift control testing activities to skilled resources to
      – increase quality
      – minimize disruption to business activities
    • Automate to facilitate documentation, deficiency tracking and communication among the various stakeholders (i.e. Executive Management, Business Unit Management, Internal Audit, External Audit, etc.)
  • 6. What is Sustained Compliance?
    • Sustained Compliance means building a better, more embedded, compliance “infrastructure” based on the elements of the control environment.
    • Sustained Compliance implies embedding the spirit of Ethics and Integrity and the process of Compliance into the organization’s way of doing business. Sustaining compliance becomes the “platform” for continuous improvement.
    Achieving this implies:
    • Success is not sustained by “heroic” exertion
    • Establishing a compliance program leading to a control environment/culture, not episodic compliance projects
    • Assessing and addressing risk is a competence defined for all roles
    • Establishing an ethical culture that guides behavior at all levels
    (Figure: three-step staircase – Focus first-year efforts to FULLY COMPLY → Design and implement the “infrastructure” required to SUSTAIN it → Identify/implement changes to IMPROVE ongoing performance)
  • 7. 2005 Sarbanes-Oxley Program Strategic Decisions
    • Established Financial Reporting Risk Management Group with skilled resources to facilitate and oversee the compliance program for SOX 302 & 404
    • Assigned responsibility for performing management testing of key financial reporting controls to Audit Services
    • Leveraged LOB / Function Risk Management infrastructure to maintain required control documentation and execute remediation action plans
    • Implemented a software solution to facilitate SOX documentation and reporting
    • Evolved the SOX 404 Implementation Steering Committee into a permanent Financial Reporting Risk Committee reporting to the Disclosure Committee
  • 8. 2005 Sarbanes-Oxley Program Timeline (Q1–Q4; quarter placement of each activity is not recoverable from the transcript)
    1) 2004 Wrap-up / 404 Report: Transition
    2) Program Mgt. & Oversight: FSRA Program; Update FSRA Scope
    3) Documentation & Assessment: Update; Maintain & Assess
    4) Test & Evaluate Effectiveness: Control Testing; Y/E Update
    5) Deficiency Remediation: 2004 Follow-up; 2005 Remediation
    6) SOX Section 302: Monitoring / Certification
    7) Automation: Implementation; Ongoing Management
    Marker on chart = Quarterly Disclosure Review & CEO/CFO Certification
  • 9. 2005 Sarbanes-Oxley Program Structure (org chart, top to bottom)
    • CEO / CFO
    • Audit Committee
    • Disclosure Committee
    • Financial Reporting Control Committee
    • External Audit / Internal Audit; Line of Business / Function Heads
    • Financial Reporting Risk Management
    • Line of Business / Function Risk Managers & Process Owners
  • 10. FRRM Organizational Structure
    Financial Reporting Risk Management – Senior Risk Officer (with Administration); Test & Evaluate Operating Effectiveness performed by Internal Audit; supported by Line of Business / Function Risk Management.
    Responsibilities by group:
    • Program Management: Project Management; Organization & Methodology; Communication; Issue Management / Escalation; Transition / Change Management; System Implementation; Software / Database Administration; Reporting
    • Risk Assessment / Financial Analysis: Risk Assessment; Financial Statement Analysis / Scope; Section 302 Control Change Impact Analysis; Control Deficiency Impact Analysis
    • Documentation & Assessment: Entity-wide Control Assessment; Financial Cycle / Control Documentation; IT General Control Documentation; External Service Provider / SAS 70 Review
    • Deficiency Remediation & Classification: Testing Result Monitoring; Deficiency Tracking / Reporting; Deficiency Classification; Remediation Action Plan Monitoring; Section 302 Monitoring / Certification
  • 11. Financial Statement Risk Assessment & Scoping
    • Perform initial Financial Statement Risk Assessment (FSRA) based on 2004 year-end financials
    • Use quantitative and qualitative measures to determine significant accounts
    • Define significant cycles and processes
    • Communicate scope changes to risk managers
    • Re-perform FSRA quarterly
  • 12. Scoping and Planning Materiality
    2005 Planning Materiality Matrix (High Risk / Lower Risk):
    • Overall Materiality: 5% of pre-tax income / 5% of pre-tax income
    • Reduction/haircut: 50% / 25%
    • Planning Materiality: 2.5% of pre-tax income / 3.75% of pre-tax income
    SunTrust Planning Materiality: 3% of pre-tax income ($85 Million)
    Account Totals: Balance Sheet 178 Accounts; Income Statement 48 Accounts
  • 13. Documentation and Assessment – Key Concepts
    • Standardization of documentation
      – COBIT used as framework for ITGC documentation
      – Third Party Service Provider – standard evaluation template
    • Engagement of external consultants to assist
    • Ownership by Lines of Business key to success
    • Risk Manager and Line of Business Head sign-off required at end of documentation phase
    • Documentation to be reviewed and updated quarterly
  • 14. 2005 Deficiency Classification Process
    • Major Phases:
      1. Deficiency Identification – Evaluate results from Internal Audit, External Audit and Regulatory Agencies
      2. Deficiency Classification – Evaluate qualitative and quantitative factors with assistance of Risk Manager and develop recommended classification
      3. Escalation of Deficiency & Approval by FRC Committee – Escalation of deficiencies to Financial Reporting Control (FRC) Committee and Disclosure Committee (as needed)
      4. Deficiency Management Reporting – Report to FRC Committee, Disclosure Committee and Audit Committee (as needed)
    “…management must exercise judgment in a reasonable manner in the evaluation of deficiencies in internal control over financial reporting, and such evaluations may appropriately consider both qualitative and quantitative analyses.” – Commission Statement on Implementation of Internal Control Reporting Requirements 2005-74 (SEC, May 16, 2005)
  • 15. 2005 Deficiency Classification Criteria
    Financial Reporting Risk Management will use the following Deficiency Classification Criteria agreed upon by the FRC Committee.
    Columns: Classification of Financial Reporting Control Deficiency | Likelihood of Potential Misstatement | Potential Magnitude of Income Statement Misstatement* | Potential Magnitude of Balance Sheet Misstatement*
    • Internal Control Deficiency | Either remote or less than a 10% chance | Inconsequential: less than 1/2% of pre-tax income (approx. $14 million) | Inconsequential: less than 1/2% of total equity (approx. $80 million)
    • Significant Deficiency | More than remote and more than a 10% chance | More than Inconsequential: greater than 1/2% of pre-tax income (approx. $14 million) | More than Inconsequential: greater than 1/2% of total equity (approx. $80 million)
    • Material Weakness | More than remote and more than a 10% chance | Material: greater than 5% of pre-tax income (approx. $141 million) | Material: greater than 5% of total equity (approx. $800 million)
    * Consideration will be given to the impact of known and/or potential misstatements on annual and interim financial statements.
  • 16. Sarbanes-Oxley Compliance Software Selection
    • Considerations: Controls repository; Documentation repository; Test results; Certification; Workflow; Security; Audit trails; Reporting
    • Users: Financial Reporting Risk Management; Risk Managers; Process Owners; Internal Audit; Executive Management; External Audit
    • Leading Vendors: OpenPages; Certus; Paisley Consulting; Handysoft; IBM; Stellent
  • 17. 2006 and Beyond – Continuous Improvement (timeline: 2004 → 2005 → 2006+)
    • Entity-wide assessment – timely execution
    • Risk assessment to minimize testing
    • Interpreting guidance from PCAOB & SEC
    • Continuous enhancement of end-user computing controls
    • Leveraging knowledge of controls and optimizing the control portfolio to bring value
    • Ongoing management of the external audit relationship – strengthen communication
    • Embedding efforts within the lines of business to foster accountability and ownership of risks
  • 18. How Did the Marketplace Get Here?
    • The pendulum has moved from Performance-focused to Control-focused as market and regulatory drivers have changed in the last 5 years.
    • Regarding SOX, most companies started with a compliance focus and have entered into sustainability. Some are finding it difficult to move into rationalization.
    (Figure: Business Benefit vs. Time – Performance Focused / Performance Biased (Late 1990’s, Y2K) → Compliance Focused / Control Biased (S-O 404, Today) → Sustainability → Rationalization (Risk / Controls Improvement) → Optimization (Performance and Control Optimized, Business Improvement, Transformation; 2006 and Beyond))
  • 19. Analysis of Control Data
    (Figure: control data charts – All Processes; One Process)
  • 20. Sample Reporting: Opportunity Analysis Based on Current Control Data
    (Figure: opportunity heat map; legend – Significant Opportunity)
  • 21. Sample Reporting – Summary of Control Transformation/Elimination Opportunities
    Opportunity areas rated across Revenue, Financial Close, Corporate Processes and ITGC (the per-column ratings are colour-coded on the slide and not recoverable here):
    • Automate Controls: Lowers cost, improves effectiveness, and simplifies on-going testing of controls
    • Transform Controls from Detective to Preventive: Shifts the focus to preventing errors and improving decision information
    • Lower Frequency of Controls: Ensuring the appropriate number of times a control needs to be performed will ensure efficiency
    • Lower Data Error & Rework Rates: Improves cycle time and quality of information, reduces costs and reduces risk
    • Improve Staffing Conditions: Enhances employee performance, resulting in improved effectiveness and efficiency and reducing overall cost
    • Insignificant Controls (currently marked as significant): Controls that were tested in 2004 that are no longer deemed significant
    • Overall Opportunity: Prioritization around resource allocation to take advantage of improvements
    Legend: Greatest Opportunity Exists, Apply Resources / Analysis Needed to Determine Resource Allocation / Baseline Resources are Sufficient
  • 22. Driving Efficiencies: Cost Reduction Factors (Life Cycle → Cost Reduction Approach)
    • Scope & Plan: Limit the number of in-scope processes and locations based on account characteristics.
    • Documentation: Identify key controls to test, and streamline processes and controls across multiple locations / divisions. Fewer documents will result in fewer external auditor walkthroughs.
    • Testing: Limit testing to critical plants based on key control selection scoping definitions; sample across plants or divisions where possible.
    • Remediation: Prioritized remediation based on risk to financials.
    • External Audit: Higher reliance on management’s testing, and limited to testing a subset of management’s controls.
    • Process Owner: Less rework and better definitions of evidentiary requirements.
    • PMO: More efficient management of tasks, timeliness, and deliverables.
  • 23. Keys to Building a Sustainable Model
    • Formalize the compliance and governance structure
    • Clearly define roles and responsibilities
    • Identify and actively seek needed skills and competencies
    • Invest in training programs that are portable and easy to maintain
    • Understand and optimize your controls portfolio
    • Standardize documentation across the company
    • Integrate Section 302 and 404 – financial reporting and internal control certifications
    • Implement a top-down, risk-based scoping approach
    • Automate the compliance process as well as controls
    • Align key stakeholders’ performance goals/incentives with compliance program objectives
    • Communicate, communicate, communicate